The advancing tide of rationalisation

I spent a week in New York at the beginning of December, and I heard the dreaded 'R' word fall from the lips of op risk executives, technology vendors and consultants alike. Essentially, firms have woken up to the fact that they have put in place processes that overlap and are producing colossal levels of frustration at the business unit level. One op risk executive confessed to me that an analysis of the various regulatory 'information gathering' activities that take place at his bank every year has produced a shocking nine rounds of self-assessments that some business lines had to complete.

Now that's a lot of red tape. The overlap stems from self-assessment-type procedures that audit, operational risk, the SOX team, the compliance department and others are following within firms. Some firms are trying to better co-ordinate these various self-assessment programmes units, while others are creating distinct self-assessment units that are taking charge of the self-assessment programmes. Still other firms are putting one existing unit – such as operational risk – in charge of co-ordinating self-assessments across firms.

Indeed, one common theme was that there didn't seem to be a common theme as to how firms were implementing this rationalisation. The plan seemed to be dictated by internal politics, human resources and regulatory drivers at individual firms. There were as many combinations of rationalisation ingredients as there are personal ways to assemble fajitas.

But one trend seemed to stand out – that the role of the operational risk department as a result of this rationalisation process is growing. Firms are keen to make their compliance departments more 'risk-based' in response to regulatory demands, and to change their approach from one that is focused on ticking boxes to one that understands the challenges their business units face.

This is very exciting, and it is a theme that we will be touching on in our upcoming OpRisk Europe and OpRisk USA conferences. Operational risk executives should seek to outline the tone of the debate within their firms when it comes to these changes, and demonstrate that all of the hard work done over the past several years has created a 'ready-made' risk-based framework to deal with issues as varied as money-laundering prevention, internal fraud, processing errors and terrorist attacks.

I expect that 2007 will be a year of dynamic change for both operational risk and compliance executives, and I also believe that at the end of this year, many firms will be in a far stronger, risk-based place.

Have a good month!